1. I am of majority age and otherwise competent to testify as to the matters herein,
based on my personal knowledge and information provided to me in the course of my
employment.

2. I am the Deputy Associate Deputy Assistant Secretary for the
Office of Cyber and Information Security (OCIS) in the Office of Information Technology. I
have held this position since May of 2005. I have over ten (10) years of experience in the areas
of security and security awareness training.

3. As the Deputy Associate Deputy Assistant Secretary, I am the agency official in
charge of VA's Office of Cyber and Information Security (OCIS), which provides cyber security
guidance and oversight to VA organizations, as well as policy, procedure, reporting, and
oversight support for all VA cyber security.

4. In order to ensure that all VA personnel who access VA data are aware of and
adhere to all applicable authorities regarding the protection of VA computer systems and data,
OCIS developed the Cyber Security Awareness Course ("Security Course"). This training is
specifically required by the Computer Security Act of 1987, Pub. L. 100-235 (H.R. 145), which
mandates that all federal agencies provide annual training in computer security awareness.
Furthermore, the Federal Information Security Management Act (FISMA), 44 USC 3544(b)(4),
requires agencies to provide periodic training in computer security awareness and accepted
computer practices for all appropriate personnel.

5. The Security Course is required annually of VA employees, contractors,
volunteers, interns, and others who utilize VA computers, networks, and electronic information
systems to perform their job duties. Along with pamphlets, posters, and other material prepared
and distributed by OCIS to promote the awareness of computer security, the course provides
awareness of key security practices and procedures to ensure the confidentiality, integrity, and
appropriate availability of private data, the timely and uninterrupted flow of information
throughout the department, and the protection of VA information systems from the potential of
fraud, waste and abuse.

6. The Security Course instructs users on how to create passwords in a manner that
maintains their security effectiveness; recognize confidential information and handle it in a
manner consistent with VA Policy; comply with cyber security requirements that protect an
individual's privacy; practice individual actions that ensure sensitive data are backed up;
recognize dangerous activities when using e-mail; report suspected cyber security incidents to the
ISO; recognize that VA's information is an important part of the nation's critical infrastructure;
know when an attempt is made to extract information without authorization; identify instances
where the use of VA's information resources is not authorized under the concept of "Limited
Personal Use"; and determine when computer gear needs to be thoroughly "scrubbed."

7. The course informs users of laws designed to protect the individuals whose data
the users work with on a day-to-day basis. In addition, it instructs users to adhere to and verify
established procedures and cautions them of intentional or unintentional misuse or inappropriate
use of VA data or resources, for which eleven (11) examples are provided.

8. To ensure that all VA personnel with access to VA data complete the training, the
Security Course is available in several formats. The online training is available both through the
intranet, for VA employees, and the internet, for those without access to the VA intranet. It is
organized into eleven (11) lessons and several short quizzes that must be taken in sequential
order: 1. Know Your ISO, 2. Passwords, 3. Confidentiality, 4. Privacy, 5. Backups, 6. Email, 7.
Viruses, 8. Incident, 9. Infrastructure Protection, 10. Social Engineering, and 11. Authorized Use.



9. The course instructs users to sign in and enroll online for the program, review and
complete all course lessons, and complete the course evaluation. Users must then print the
certificate of completion at the end of the course and submit it to their supervisor, facility
education office, or information security officer.

10. In addition to this online training, a video version of the training is available by
satellite broadcast, and a text version of the training may be printed and distributed to the very
few users unable to complete the other versions. Both versions contain the same basic
information as the online course. Users of these versions must certify to their supervisor, facility
education office, or information security officer that they have completed the mandated security
awareness training.



11. Some VA facilities have developed facility-specific cyber security awareness
training, which fulfills the security awareness training requirement as long as: the length of the
course is a minimum of one contact hour, the content is provided in an interesting and
informative manner, the training includes all relevant content presented in the Cyber Security
Awareness Course developed by OCIS; and completion of the training is tracked electronically
for reporting compliance.

12. The VA Employee Education System (EES) administers the Cyber Security
Awareness Course developed by OCIS. To track the completion of the training by all
appropriate personnel and ensure that the security awareness training requirement is fulfilled
department-wide, EES uses an online portal that shows for each user the status of completed and
incomplete courses.

13. Attached as exhibit A are true and correct copies of screen printouts from the
Cyber Security Awareness Course described in paragraphs 3-7 above.



14. The certificate of security awareness training is effective for one fiscal year, since
the course must be completed every year. Completion of the training is tracked for each user
through an online portal maintained by the VA Employee Education System (EES).



15. The certificate of John Doe (the VA employee whose home was burglarized and
whose personal laptop computer and external hard drive containing VA data were stolen), as
provided to me by EES, indicates that he fulfilled the requirement for security awareness training
by successfully completing the online version for the Cyber Security Awareness Course for fiscal
year 2006 on March 31, 2006.

16. Attached as exhibit B is a true and correct redacted copy of John Doe's certificate,
as provided to me by EES, indicating his completion of the online version of the Cyber Security
Awareness Course for 2006.

17. An additional certificate of John Doe, as provided to me by EES, indicates that
John Doe fulfilled this requirement for previous years by completing the online version of the
Security Awareness Course for 2005 on Jio^ 8, 2005.

18. Attached as exhibit C is a true and correct redacted copy of John Doe's
certificates, as provided to me by EES, indicating his completion of the online version of the
Cyber Security Awareness Course for 2005.



I declare under the penalty of perjury that the foregoing is true and correct.

DATED                CAROL WILLIAMS



Cyber Security Awareness FY-06 (Intranet)

Welcome and Introduction

Welcome to the Veterans Affairs (VA) Office of Cyber and Information Security Awareness
Training Course. The Federal Information Security Management Act (FISMA) 44 USC
3544(b)(4) mandates that each federal agency provide periodic training in computer 
security awareness and accepted computer practices for all employees, contractors, and 
volunteers. This training meets those requirements. The course is designed to take 
approximately 1 hour. 

This course will help you to understand the responsibilities you have to protect VA's 
information assets, especially information about our veterans and it shows you ways to 
meet these responsibilities. 

Successful completion of this course will fulfill your requirement for annual information 
security awareness training established under public law, VA policy, and other requirements. 

PRIVACY STATEMENT - Read before you continue with the course 

This course is mandatory for all VA employees, contractors and volunteers and any persons 
that utilize VA computers, networks, and electronic information systems. This training is 
posted and refreshed annually. All new employees, contractors and volunteers are required 
to take this training within 30 days of joining VA. 

A team of subject matter experts from the VA Office of Cyber and Information Security 
(OCIS) and VA Employee Education System (EES) created and developed this training. 

Basic Course Information: 

Your registration information will be safeguarded in the same manner as all other EES 
courses and in compliance with VA Privacy requirements. See vaww.va.gov/privacy for
additional information. 

You may leave the course at any time. Your progress through the course will be saved and 
you will be provided a link to the location you left when you re-enter the course. 

You do not have to register again. You may read information about this course in the brochure
by clicking on the link on the main menu bar or the next button at the top and bottom of
the screen.

Common Questions and Answers before you start: 

The best way to view this training is with Internet Explorer 4.0 or higher, a monitor 
resolution of 800x600 and displayed at 256 colors. If you have additional hardware or 
software technical questions, please ask your local Information Systems Support Staff or 
Education Contact to assist you. If needed, one of them will contact the local system 
administrator. 

For navigation details about the course, click on the help button. 

If you have questions on how to use your Internet Browser, difficulty accessing the network
or difficulty printing pages from the browser contact your local Information System Support
Staff.

If you are ready to begin the course just click on Next located at either the top or bottom of
this page.

Course Brochure

Department of Veterans Affairs 



Employee Education System 

and 
Office of Cyber and Information Security 

presents 

VA Cyber Security Awareness 

Course ID: 06.MN.SH.OCISW.A 
VA National Catalog Number: ITECH-EES-F249 

Place: An Independent Study on the EES On Learning Web Site.

Purpose: 

This program addresses key security practices and procedures and incorporates the Office of 
Cyber and Information Security top initiatives that all VA staff, contractors and volunteers 
need to be aware of to protect VA's information assets. The Federal Information Security 
Management Act (FISMA) 44 USC 3544(b)(4) mandates that each federal agency provide 
annual training in computer security awareness. The completion of this course satisfies that 
requirement. 

Outcome Objectives: 

Upon completion of this program participants will be able to: 

1. identify the ISO and situations in which it is important to make contact; 

2. create passwords in a manner that maintains their security effectiveness;

3. recognize confidential information and handle in a manner consistent with VA Policy; 

4. comply with cyber security requirements that protect an individual's privacy; 

5. practice individual actions that ensure sensitive data are backed up; 

6. recognize dangerous activities when using e-mail; 

7. report suspected cyber security incidents to the ISO; 

8. recognize that VA's information is an important part of the nation's critical infrastructure; 

9. know when an attempt is made to extract information without authorization; 

10. identify instances where the use of VA's information resources is not authorized under
the concept of "Limited Personal Use;" and

11. determine when computer gear needs to be thoroughly "scrubbed."

Target Audience: This course is for all VA staff, contractors and volunteers who use a
computer to perform their job duties.

Accreditation/Approval: None



Continuing Education Credit 

Employee Education System 

The VA Employee Education System designates this educational activity for 0.5 contact
hour.

In order to receive a certificate from Employee Education System (EES) you must sign in
and enroll on line for this program, review and complete all on-line course modules,
complete the post test, complete the evaluation and print your own certificate at the
conclusions of the program (certificates will not be mailed). EES cannot issue certificates for
less than 100% participation as required by accrediting body regulations.

Report of Training: It is the program participant's responsibility to ensure that this
training is documented in the appropriate location according to his/her locally prescribed
process.

This Independent Study Includes: Web based training materials and Program Evaluation

Independent Study Implementation Procedure: The web based training material and
evaluation can be completed using the VA Intranet. The address is

https://vaww.ees.aac.va.gov

NOTE: If you experience difficulty reaching this web site, please contact the Help Desk via
e-mail at eeslibrixhelp@lm.va.gov. You may also contact your local computer support staff
for assistance.

NOTE: In order to complete the program, your computer must have Internet Explorer 4.0 or
Netscape 4.0 or higher.

After you take the test, you will receive immediate feedback as to pass or fail. Upon
completing the course and the evaluation, you will be able to immediately print your
certificate according to instructions.



Program Content Outline

Introduction
Know Your ISO
Passwords
Confidentiality
Practice Exam 1
Privacy
Backups
Email
Practice Exam 2
Viruses
Incident
Infrastructure Protection
Practice Exam 3
Social Engineering
Authorized Use
Practice Exam 4



Faculty and Planning Committee

Terri Cinnamon
Team Leader, TEAP
The Office of Cyber and Information Security
Martinsburg, WVA

Greg Dutkowski
Computer Specialist
Office of Cyber and Information Security
Salt Lake City, UT

Susan Hotzler, MA
Project Manager
Employee Education System, Minneapolis
Minneapolis, MN

Raymond Spry, MBA & MSOD
New Media Producer
Employee Education System, Salt Lake City
Salt Lake City, UT

Lisa Holland
Computer Specialist
Office of Cyber and Information Security
Washington, DC

Project Manager

Susan Hotzler, MA
Program Manager
Minneapolis Employee Education Resource Center
Minneapolis, MN

Program Support Assistant

Margaret Gephardt
Program Support Assistant
Minneapolis Employee Education Resource Center
Minneapolis, MN

Media Support

Raymond Spry, MBA & MSOD
Senior Instructional Systems Manager
Salt Lake City Employee Education Resource Center
Salt Lake City, UT

Section 508 of the Rehabilitation Act

The Employee Education System wishes to ensure no individual with a disability is excluded, 
denied services, segregated or otherwise treated differently from other individuals attending 
this workshop because of the absence of auxiliary aids and services. If you require any 
special arrangements to attend and fully participate in this educational activity, please 
contact Susan Hotzler, Project Manager, EES, Minneapolis Employee Education Resource 
Center, phone 612-725-2000, 4549 or by e-mail Susan.Hotzler@lrn.va.gov 

Disclosures 

The Employee Education System (EES) must insure balance, independence, objectivity, and 
scientific rigor to all EES sponsored educational activities. The intent of this disclosure is not 
to prevent faculty, author, planning committee member or presenter (discloser) with a 
significant financial or other relationship from presenting materials, but rather to provide 
the participant with information on which they can make their own judgments. It remains 
for the participant to determine whether the discloser's interests or relationships influence 
the materials presented with regard to exposition or conclusion. When an unapproved use of 
a FDA approved drug or medical device, or an investigational product not yet FDA approved 
for any purpose is mentioned, EES requires disclosure to the participants. 

Each faculty and planning committee member (author, facilitator, and moderator) reported 
having no financial relationships or interests with any commercial topics that are discussed in 
this activity. This activity includes no discussion of uses of FDA regulated drugs or medical 
devices which are experimental or off-label. 

Welcome and Introduction

"Cyber Security Awareness" is the knowledge that VA employees, contractors, and volunteers
utilize to protect VA computer systems and data. It is more than policies, procedures, rules,
and regulations. Cyber Security Awareness refers to the personal responsibility each of us
assumes for ensuring:

• the confidentiality, integrity, and appropriate availability of veterans' private data,

• timely and uninterrupted flow of information throughout the VA enterprise, and

• VA information systems are protected from the potential of fraud, waste and abuse.

Please be aware of any activity that might violate and/or compromise the security of VA
information systems. Report all incidents to your information security officer.

This VA Cyber Security Awareness course is provided for all VA employees, contractors,
volunteers, and anyone who may have access to any VA information system including the
personal veteran information and corporate data stored in such systems. Successful completion
of this course will fulfill your requirement for annual information security awareness training
established under public law, VA policy, and other requirements. Remember that, while the
information you review in this course is specific to the Department of Veterans Affairs, many of
the principles which are discussed are also relevant to you, as an individual computer user.

The inclusion of risk concepts and related practices in the VA Cyber Security Awareness
Training Course permits the unification of high level legislation and policy issues with
system level controls, measures and metrics. As such, the addition of risk elements can be
used to augment the current course elements and also provides an opportunity to introduce
a policy-driven framework and format.

How This Course Works

The course contains 11 lessons. You'll also find several short quizzes interspersed between
the lessons. You must review each lesson and take each quiz. Don't worry, the program
only tracks that you complete the course, not your scores on the quizzes. You do not have to
achieve a certain score to successfully complete the course.

When you are finished, you will be asked to complete a course evaluation. Then, you'll
receive a certificate of completion. You should print and keep the certificate to show you
have successfully completed this required training.

This course is best viewed with Internet Explorer.

If you need to leave the course, you may always come back and start where you left off.
When you log back in, you will be offered a menu with links to select where you left off, or
start at the beginning of the course, or exit the system.

If you lose your certificate, you can always come back to the course and select the
"end-of-course" link. From there, you can print out another certificate.

Please read the "Course Brochure" page before you begin. If you need assistance at any
time, please click on the Help button located on the program menu.

Know Your ISO

• Do you know all the rules and requirements you should follow to keep VA's information
secure?

• Do you know what to do if your computer is infected with an electronic virus?

• If you witnessed someone using VA's computers for theft or fraud, what would you do?

• Do you know your responsibilities for maintaining confidentiality and privacy?

• Are you sure that your work is backed up and safe?

• Do you know your role in your facility's contingency plan?

There is someone available to help you - your facility Information Security Officer (ISO).
Every VA facility has an assigned ISO who can help answer these questions and more.

It is important to know that we are all responsible for information security. Your ISO is a
great resource for learning about those responsibilities and how to react if you become aware
of a problem.

If you do not know your ISO, ask your supervisor or you can visit the Office of Cyber and
Information Security website for the ISO Directory.


Risk Awareness

In order to effectively manage risk it is essential to know how to identify when risk is
increased beyond what is reasonably expected of the situation you find yourself in. To
establish this, it is helpful to know which processes are necessary to carry out each task and
which job functions are responsible for the process being carried out. It is important that
you know where to look for procedures, processes and guidelines for operational risk,
information risk and security controls relating to your job function. When you are familiar
with this information you will be able to respond quickly and effectively when you are
suspicious about someone's actions, even if the other person is your supervisor.

Passwords

Passwords are important tools for protecting VA information systems and getting your job
done. They ensure you have access to the information you need. Keep your password secret
to protect yourself and your work. If you have several passwords, it is permissible to record
and store them in a safe place, to which only you have access.

Password Requirements

Passwords must:

• Be constructed of at least eight characters (i.e., Gabcl23&)

• Use at least three of the following four kinds of characters:

    o Upper case letters (ABC...)

    o Lower-case letters (...xyz)

    o Numbers (0123456789)

    o "Special characters," such as #, &, *, or @.

• Be changed at least every 90 days.

Using these rules will provide you with a "strong" password. VA requires strong passwords
on all information systems.

Password Theft

Passwords can be easily stolen or duplicated if constructed poorly. Most password thefts
occur as a result of poorly constructed passwords or social engineering. We'll discuss social
engineering later in this course.

Poor Password Construction

Many factors can contribute to poor passwords. Some of the most notable are:

• Passwords that are not "strong," as explained above.

• Use of common words easily obtained from a dictionary.

• Passwords referring to your personal life (for example, names of family
members or pets).

Easily identifiable passwords are an open invitation to hackers.

Rules of Thumb for Passwords

• Don't use words found in a dictionary.

• Follow the rules for strong passwords.

• Don't use personal references (names, birthdays, addresses, etc.)

• Change your passwords at least every 90 days. If you suspect that someone is trying
or may have obtained your password, change it immediately, and inform your
information security officer.

• Be sure nobody can watch over your shoulder while you type your password. Ask
them to turn away while you type. Position your keyboard so that it is not easy to
see what you type.

• If you have a number of passwords to remember, you may want to write them down.
You must securely lock them away where they cannot be accessed by others.

• Help to ensure that passwords and accounts for employees, volunteers, contractors,
and students are terminated within 24 hours of their departure.



Remembering Passwords

Since childhood, many people have used simple rhythms to remember things. Can you
remember how you learned the alphabet, months of the year, state capitals, etc.? This
technique is called "mnemonics." Below is an example of a mnemonic used to remember the
planets of our solar system: their order is the rhythm:

"Mary Very Easily Makes Jam Saturday Unless No Plums"

Helps you to remember
Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus, Neptune, Pluto

It may sound silly, but it works. Your memory makes sensible links between information,
fitting facts into mental structures and frameworks. Building a simple mnemonic may not
work if it does not make sense, but it only needs to make sense to you.

Mnemonics are a useful tool in constructing passwords that cannot be found in a dictionary.
How about using this as a password for the mnemonic above:

MVEMJS,unp 
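
The password rules of this lesson (length, three of four character kinds, the 90-day change interval, no dictionary words, no personal references) written as a checker. This is an added example, not part of the VA course or of the declaration; the word list, the look-alike substitution table, the result codes and the function names are constructed assumptions.

```python
from datetime import date
import string

MIN_LENGTH = 8        # "at least eight characters"
MIN_KINDS = 3         # "at least three of the following four kinds of characters"
MAX_AGE_DAYS = 90     # "changed at least every 90 days"

# Constructed stand-in for a real dictionary file (assumption).
SAMPLE_WORDLIST = frozenset({"password", "welcome", "veteran", "summer", "dragon"})

# Common look-alike substitutions undone before the dictionary check (assumption).
LOOKALIKES = str.maketrans("@4031$5!7", "aaoeissit")


def character_kinds(password):
    """Return which of the four character kinds the password uses."""
    kinds = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            kinds.add("upper")
        elif ch in string.ascii_lowercase:
            kinds.add("lower")
        elif ch in string.digits:
            kinds.add("digit")
        elif ch in string.punctuation:
            kinds.add("special")
    return kinds


def letters_only(password):
    """Lower-case, undo look-alike substitutions, drop everything but letters."""
    folded = password.lower().translate(LOOKALIKES)
    return "".join(ch for ch in folded if ch.isalpha())


def check_password(password, last_changed, today, personal_terms=(),
                   wordlist=SAMPLE_WORDLIST):
    """Return a list of rule violations; an empty list means compliant."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if len(character_kinds(password)) < MIN_KINDS:
        findings.append("too_few_kinds")
    folded = letters_only(password)
    # "Summer06" and "P@ssw0rd1" are still dictionary words underneath.
    if any(word in folded for word in wordlist if len(word) >= 4):
        findings.append("dictionary_word")
    raw = password.lower()
    if any(t.lower() in raw or t.lower() in folded for t in personal_terms if t):
        findings.append("personal_reference")
    if (today - last_changed).days > MAX_AGE_DAYS:
        findings.append("expired")
    return findings


if __name__ == "__main__":
    today = date(2006, 3, 31)            # constructed dates
    changed = date(2006, 3, 1)
    for candidate in ("MVEMJS,unp", "Summer06", "P@ssw0rd1"):
        print(candidate, check_password(candidate, changed, today))
    print("rex1968", check_password("rex1968", changed, today,
                                    personal_terms=("Rex", "1968")))
```

The mnemonic password from the lesson passes every rule, while passwords that meet the length and character-kind rules can still fail the dictionary rule.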

For more information about passwords, ask your Information Security Officer (ISO).

Risk Awareness

Using the correct username and password combination is the primary method in the VA of
identifying and managing access to systems and computer programs.

Username and password combinations provide a guarantee that you are who you say you
are. Through security and access rules built into computer programs and systems, your
username and password also protect you from being able to carry out actions which are
beyond your level of authorization.

Once the details of your username and password have been shared with others, you have
lost control over how they may be used or abused. You are held solely accountable for your
account access. No one other than yourself should know or have access to your
password(s).

Most information systems have several ways to control username and password
combinations in terms of complexity, life, usage or repetition. All of these controls are of
little use if a system user loses or gives this password away.

It is worth noting that in most cases, usernames are very easy to get and tend to follow a
pattern which relates directly to your own name. This is a necessary risk. Therefore,
constructing strong passwords and maintaining their confidentiality is of great importance.

Confidentiality

In VA, confidentiality is a must. Perhaps you have wondered what this means and what you
need to do about it. Confidentiality is the condition in which VA's information is available to
only those people who need it to do their jobs.

Breaches in confidentiality can occur if you walk away from your computer
without logging off or when paper documents are not adequately controlled.
They sometimes occur when you are accidentally given access to too much
computer information. Put another way, breaches can occur when someone
has access to information that they do not need to do their jobs.
Conversations about veterans' cases in public places such as elevators and
hallways can be a breach of confidentiality.

VA's computers are designed to protect confidentiality, but remember that
there are things you can do, and things you should not do, to protect confidentiality.

Computer Disposal and Confidentiality

Getting rid of old computer equipment? Be careful! We in
VA often look for ways to assist the community; it's one 
of the best things about us. 

Not long ago, some VA computers containing patient 
data and other information were inadvertently released 
into the community. This created an unacceptable and 
very serious breach of confidentiality. Imagine seeing 
your own personal information on a used VA computer 
that was donated to a school! While it is usually the 
responsibility of Information Technology (IT) staff to 
ensure the complete erasure of data before disposal of 
equipment, there are things you can do to help. 



• When possible, store your data on network drives instead of your desktop 
computer. 

• If you notice computers being excessed without full data erasure, let your ISO 
know. 

• Know that the "delete" command cannot remove all traces of data from your 
computer. 

To address the problem of removing all data from computers prior to disposal, VA's Office of 
Cyber and Information Security has purchased a special software tool called On Track Data 
Eraser. This tool prepares computers for proper disposal by "overwriting" the data on a hard 
drive several times. This process obliterates and makes the data irretrievable in any form. 
Every VA facility has received this tool for the IT staff to use. Working together, we will 
ensure that this never happens again! 
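
Why "delete" leaves data behind while overwriting does not, shown on a toy in-memory disk. This is an added illustration, not part of the VA course and not a description of how the tool named above is implemented; the ToyDisk class, its block layout and the sample record are constructed for the example.

```python
BLOCK = 16  # bytes per block on the toy disk (assumption)

# Constructed sample record, not real data.
RECORD = b"VETERAN=EXAMPLE,PAT;ID=CONSTRUCTED-0001"


class ToyDisk:
    """A flat byte array plus a directory mapping name -> (first block, block count)."""

    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK * blocks)
        self.directory = {}
        self.next_free = 0

    def write_file(self, name, content):
        count = -(-len(content) // BLOCK)            # ceiling division
        if self.next_free + count > len(self.data) // BLOCK:
            raise OSError("toy disk full")
        start = self.next_free * BLOCK
        self.data[start:start + len(content)] = content
        self.directory[name] = (self.next_free, count)
        self.next_free += count

    def delete(self, name):
        """What a "delete" command does: forget the directory entry, keep the bytes."""
        del self.directory[name]

    def wipe(self, name, passes=3):
        """Overwrite every block of the file several times, then drop the entry."""
        first, count = self.directory.pop(name)
        start, size = first * BLOCK, count * BLOCK
        for p in range(passes):
            # Alternate fill patterns; the final pass always writes zeros.
            fill = 0x00 if (passes - 1 - p) % 2 == 0 else 0xFF
            self.data[start:start + size] = bytes([fill]) * size

    def unallocated_residue(self):
        """Sanitization check: non-zero bytes left in blocks no file owns."""
        owned = set()
        for first, count in self.directory.values():
            owned.update(range(first, first + count))
        residue = bytearray()
        for block in range(len(self.data) // BLOCK):
            if block not in owned:
                chunk = self.data[block * BLOCK:(block + 1) * BLOCK]
                residue += bytes(b for b in chunk if b != 0)
        return bytes(residue)


def residue_after_delete():
    disk = ToyDisk()
    disk.write_file("claim.txt", RECORD)
    disk.delete("claim.txt")
    return disk.unallocated_residue()


def residue_after_wipe():
    disk = ToyDisk()
    disk.write_file("claim.txt", RECORD)
    disk.wipe("claim.txt")
    return disk.unallocated_residue()


if __name__ == "__main__":
    print("after delete:", residue_after_delete())
    print("after wipe:  ", residue_after_wipe())
```

On real equipment the overwrite is applied to the whole drive by a sanitization tool, as the course describes; overwriting a single file in place is not reliable on SSDs or journaling file systems.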

Your ISO can help you find other ways to secure your data. For more information, contact 
your facility Information Security Officer (ISO). 

Risk Awareness

In isolation, keeping each process or piece of information confidential may not seem to be
critically important. In reality, individuals inside and outside the VA who would attempt to
breach confidentiality may collect seemingly insignificant fragments of information which,
like a jigsaw puzzle, can be put together later to reveal a complete picture - a picture of VA.

Breaches of confidentiality may occur immediately or in some cases, over extended periods
of time, by collection of data and process information over months and sometimes years
before systems are compromised.

Practice Exam 1

Lesson 1 - Know your ISO

If you think your workstation has been infected with a virus, you would contact:

a. Your computer manufacturer

b. Your Information Security Officer (ISO).

c. Norton Virus Protection, Inc.

d. Your Service Chief.

e. None of the above.

If you saw someone using a VA computer to commit fraud, you would call:

a. Your friend down the hall.

b. Nobody, because it is not your business.

c. Your Service Chief.

d. Your Information Security Officer (ISO).

e. All of the above.

Lesson 2 - Passwords

Which of the following Rules of Thumb for passwords do not apply:

a. Do not use words found in any dictionary.

b. Do not use personal references (for example: names, birthdays, addresses)

c. Have your friend keep a copy of your password in case you forget.

d. Keep passwords secret.

e. Follow the rules for creating good, strong passwords.

Lesson 3 - Confidentiality

Hitting the Delete key on your computer will erase the information from your computer
completely.

a. True

b. False
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Privacy 

As Americans, we have fundamental expectations for privacy. The right to privacy is even 
built into our Bill of Rights as a basic human dignity afforded citizens.

Privacy has a special legal meaning for government agencies. The Privacy Act requires that 
we as government employees take special care when we provide information to anyone about 
our veteran employees and other customers. Providing personal information to anyone, 
including veterans themselves, must be done only by persons authorized to do so. The same 
applies to requesting and receiving information about ourselves as employees and/or as 
veterans. Care must also be taken to assure that recipients of information are authorized to 
receive that information. As VA employees, we must follow legal procedures for disclosing 
and receiving information. These procedures ensure that information is distributed in a 
responsible manner and that VA accounts for the transaction.

Information Privacy, Security, and the VA Mission

Part of the VA mission is to ensure America's veterans receive medical care and benefits 
with dignity and compassion. To accomplish this, VA gathers all kinds of information from 
and about its beneficiaries. Much of it is related to health care, military service, finances, 
education, and other personal information. Lest we forget, something as simple as a 
veteran's home address and phone number is privileged information. The Privacy Act 
requires that we as government employees follow proper procedures when we provide 
information to anyone about veterans and others. If you handle health care information in 
your job at VA, you need to know about HIPAA. HIPAA grants rights to individuals and 
imposes obligations on organizations. For more information on Privacy and HIPAA you can 
go to the Privacy Awareness course or contact your local Privacy Officer.

Helpful Guidance for Handling Privacy Requests



If another VA employee asks you for veteran information under your control, your response 
may depend on several things, including:

• The purpose of the request

• The authority of the individual making the request

• The established procedures for managing the request.

If the request does not follow the standard procedures that you are familiar with, do not 
hesitate to consult your supervisor for directions prior to accessing or disclosing any 
information.

A Little Curiosity Can Be Harmful...

...Don't let it hurt you, any veteran, or your coworkers.

It is human nature to be curious. We all may have occasional urges to find out a little bit 
more about each other. When tempted to delve into personal information about veterans 
you come in contact with or employees you work with, the best advice is stop and consider 
your actions:

• Do you have a need to know in order to do your job?

• The person you are curious about has the right to be treated with respect, 
dignity, and have their privacy maintained.

• Unauthorized access or use of veteran, employee, or enterprise information 
entrusted to VA is a serious offense. Disciplinary action can be brought 
against you as well as legal action that could result in civil and felony 
punishment.

Through established policies and procedures, VA has developed measures to protect the 
privacy and confidentiality of veterans and employees. Policies and procedures are only as 
good as the individuals who implement and follow them. Your informed knowledge and 
professional experience is the best defense against unauthorized use and disclosure of 
information.

Requests for information from the public, media (newspapers, or radio and television 
stations), and others must be handled in a manner that protects the privacy of veterans, 
their families, and confidential corporate information. Such requests must be referred to the 
appropriate official at your facility.

If you have questions about privacy in VA and your responsibilities as an employee, contact 
your supervisor, Privacy Officer, or Information Security Officer (ISO).

Risk Awareness

Privacy laws are designed primarily to protect the people whose data you work with on a 
day-to-day basis. The laws are there to ensure that veterans and their beneficiaries have 
recourse against intentional or unintentional misuse and abuse of protected data. Your 
protection within the VA is to adhere to the procedures and check when you are unsure of 
how to handle information. If you deviate from the established procedures, you and/or the 
VA could potentially become liable for any losses incurred in the event of legal action.

Case 1:06-cv-01038-JR Document 15-21 Filed 11/20/2006 Page 26 of 48

Backups

The work you do on VA's computers is important. It is important to you because of the time 
and effort expended to create it. It is important to VA and to veterans because it supports 
our mission.

Is your work "backed up" and safe from loss? In most VA facilities, systems managers have 
created ways to ensure your work is saved in several places (backed up) so it is not lost. You 
should make sure your work is backed up. Making a copy of files for the purpose of having 
them available in case of a computer failure is called "backing up" or "creating a backup." 
Backups are done to a second storage medium such as a diskette, zip disk, CD, tape or, the 
preferred method, to your network drive. You should be sure to lock away the information 
in a secure area if it contains sensitive data.

Information systems managers take purposeful steps to ensure that VA data is safe by 
systematically and routinely creating database backups on systems such as VistA, BDN, and 
others. It may not be reasonable to expect IT staff to be responsible for backing up the 
information on the computers of every user in your facility, so you may need to assume this 
responsibility yourself. If you are at all unsure if your work is backed up, contact your ISO.

Helpful suggestions to assist you in backing up your files:

• The most important files to back up are the ones you create, such as word processing, 
spreadsheet, and presentation files. At home, you will want to back up your financial 
files (Quicken, Money, TurboTax, etc.).

• Software programs do not need to be backed up. They can usually be reinstalled 
from the original media.

• Store the files you create in a single location on your computer such as the "My 
Documents" folder. Doing so will make it easier to quickly create your backup. If you 
store your files in many different locations, it will be more time consuming to locate 
them and may prevent you from routinely backing up all of your files.

• Set a schedule for backups appropriate to your needs. Some people may need to 
create daily backups. For others, weekly or even monthly may be adequate. Don't 
risk any more data to inadequate backups than you are willing to lose or have to 
recreate.

• After creating a backup, verify that you can access your storage medium and open 
the files on it.

• Storage media wear out, especially magnetic media. It is like watching an old movie 
on film or videotape. The recorded signal gradually wears out, resulting in a grainy or 
unstable picture. This happens over time. Rotate your storage disks and periodically 
replace them with new disks or new technology.

• Clearly identify the files on your storage medium. Trying to find a specific file in a 
pile of unlabeled disks is time-consuming and risky.

• Store your backups in a safe and secure place.

The most reliable computers are apt to eventually fail as a result of age, heat, dust, or 
mechanical failure.

Backups are cheap insurance. The question is not if you will ever need to use your backup. 
Instead, the question is when.

Ask your supervisor or Information Security Officer (ISO). They can tell you if your work is 
safe and can help you create a way to routinely back it up.

Risk Awareness

Private and uncontrolled media from backups may present a security risk if left unprotected 
or in places where access to them is unrestricted. Great care is taken to manage and 
protect data while it is on the VA network but all this can be for nothing if the backup media 
is unprotected. Backups are not only useful in the event of complete loss; by naming files in 
numerical sequence, each stage of creation or modification of a document can be preserved 
in several iterations. Backup services are available on most networks for centrally stored 
and managed files. In most cases, locally stored files will not be backed up by network 
backup services. This is important if local files need to be protected as part of a separate 
local backup routine.

E-mail

In VA, e-mail has become a vital tool in conducting our business. Proper use of VA electronic 
mail is essential to ensure this resource is uninterrupted and used in legal ways. Chain 
letters and hoax messages rob us of valuable network capacity, computer space, and 
processing speed. You should not forward these messages to others. In fact, don't even 
request the sender stop sending you messages. Just delete them. These "please stop" 
messages sent by the thousands slow down our e-mail systems! Sensitive information 
should not be sent using e-mail unless it can be done securely. Before you send sensitive 
information on e-mail, you must ensure that it can be done securely. Some computer viruses 
attack e-mail systems, making them unavailable. You should learn to recognize the signs of 
a virus infection.

E-mail Privacy and Security

Do not think of e-mail as being similar to a personal letter delivered to you in a sealed 
envelope by the post office. Instead, e-mail is more like a postcard. Most often, it gets 
dependably delivered but there may be opportunities along the way for people other than 
the addressee to view the contents.

E-mail is not considered private. You should have no expectation of privacy when using 
e-mail to transmit, store and communicate information. Private information about veterans 
and employees (any information that pertains to a veteran or employee that is coupled with 
information that can identify the veteran or employee) is not permitted to be transmitted by 
e-mail unless it is encrypted.

E-mail is not considered secure. E-mail systems, including VA's, are vulnerable to virus 
attacks. In fact, most computer viruses are spread through e-mail messages (See E-mail 
Etiquette).



E-mail hints for work and home.

• Utilize virus-scanning software. Be sure it is kept up-to-date. Scan all e-mails and 
attachments sent to you.

• Always be cautious in opening e-mail from people you don't know. Make sure the 
subject lines are appropriate before opening. If you are not sure whether the e-mail is 
legitimate, then contact the sender by phone.

• Don't open attachments from people you don't know.

• Utilize e-mail in an appropriate manner. Don't forward or create hoaxes or 
ask people to modify their computer systems. Don't spread rumors using 
e-mail. Be suspicious of any message that tells you to forward it to others.

• Unsubscribe from mailing lists in which you are no longer interested.

• Don't participate in "mail-storms" involving scores (or hundreds or even 
thousands) of users responding "me too!" or "thanks" or even "please stop."

• Use "reply to all" sparingly. Does everyone in your large mail group really 
need to see your response? Often, it is more appropriate to limit your 
response to just the sender.

Where do you go for information about the security of e-mail, or questionable, improper, or 
illegal e-mail messages? You should consult your supervisor or local Information Security 
Officer (ISO) to ensure that VA e-mail is being used properly and securely or if you have 
questions about these issues.

E-mail Etiquette

Have you ever received an e-mail that was sent to a big distribution list that you didn't 
really need or want? Did you "Reply-to-All" asking why you were sent the message or 
asking to be removed from the message thread? When you do that, two things happen. 
First, you monopolize lots of people's time opening and reading your message. Second, the 
VA network gets flooded with messages that don't really contribute to our work. This flood 
of messages actually reduces the performance of VA's network, especially when people 
"Reply-to-All" to the responses. If you need to be taken off a thread, please contact the 
sender only. That way, our network can use its power to help us with our mission. For more 
information about e-mail etiquette, see 
http://vaww.vaco.va.gov/goodinfo/mailetiquette.htm, or contact your Information Security 
Officer.

Risk Awareness

Replying to unsolicited spam email is more likely to increase the number of messages sent 
to your address. When a spammer receives a reply, they can then be sure that your email 
address is valid. This can be exploited in the same way when spam emails offer you the 
option to unsubscribe, since this validates your email address to the spammers, who often 
increase the number of emails to that address. Email addresses can easily be faked; this is 
called spoofing. If the content of email is particularly private or important then increased 
security in the form of encryption (reduces the likelihood of the message contents being 
read) may be considered. Most cryptographic systems also validate the integrity of the 
message to prevent tampering during transmission. If in any doubt contact your ISO for 
advice or consider another, more appropriate transmission method.

Practice Exam 2
Lesson 4 - Privacy

If you handle healthcare information in your job at VA, you need to know about ____.

a. e-mail etiquette
b. HIPAA
c. Federal Information Security Management Act
d. viruses

Lesson 5 - Backups

Which of the following items is NOT recommended when backing up your files?

a. Store files in a single location.
b. Identify the work on the storage medium.
c. Verify access to your storage medium.
d. Backing up software programs such as Word on your storage medium.

What is a backup?

a. Keeping your supervisor and coworkers informed about where you keep important 
documents and files.
b. Routinely copying your computer and email files to a second storage medium.
c. Creating duplications of important files and documents for storage with the 
originals.
d. Informing your ISO every time your team creates an important document.

Lesson 6 - Email

What should you do if you receive a chain letter in an email?

a. Follow the instructions in the email if it doesn't take too much of your time.
b. Delete the email.
c. Forward the email to your ISO.
d. Reply to the email with a "please stop" message.

What should you do if you receive an email attachment from someone you don't know?

a. Do not open the attachment.
b. Open the attachment if the subject line seems appropriate.
c. Reply to the email and request more information.
d. Open the attachment if your virus software doesn't alert you not to.

Viruses



Do you know that computer viruses can be one of the biggest causes of business loss at VA? 
High-tech vandals have created ever-more dangerous infectious programs that, in the past, 
have overcome VA's defenses. When that happens the data we depend on to fulfill our 
mission is compromised. It takes time and money to defend against viruses. It requires 
employee time to recover from attacks. Viruses make our jobs more difficult and steal 
resources away from our primary mission of serving veterans. Take an active role in virus 
defense. Find out if the computer you are using is protected. When anti-virus programs are 
loading, let them run to completion. Be suspicious of e-mail messages from people you do 
not know as well as of unexpected messages from people you do know. Look for suspicious 
activity, like a constantly active hard drive. Make sure data files and programs you load on 
your computer are authorized and free from viruses.

Improvements in technology have permitted VA to institute an enterprise-wide anti-virus 
defense program. Often, anti-virus software is automatically installed and updated. 
Nonetheless, new viruses are an everyday occurrence, and anti-virus software offers no 
protection from newly developed, unknown viruses. Viruses can be spread from inside as 
well as from outside VA. Learn how to tell if the anti-virus programs on your work and home 
computers are running and current.

Public peer-to-peer File Sharing

Public peer-to-peer file sharing (commonly known as "P2P") is prohibited in VA. P2P refers 
to programs that allow anonymous sharing of files between computers. While there can be 
legitimate uses for P2P, more often these programs promote violations of copyright laws 
through exchange and distribution of music, videos, and games. 

In addition, public P2P is prohibited in VA because P2P programs may include viruses and 
"spyware". Without your knowledge or permission, spyware programs track and send 
information about you and your computer to thieves and hackers. This exposes you, your 
coworkers, veterans, and their families to the possibility of identity theft and theft of credit 
card, medical, and other personal or financial information. Transferring files using P2P has 
a very significant impact on VA's wide area network because it slows down or delays 
transmission of legitimate work. 

VA Memorandum "Prohibition on the Use of Public Peer-To-Peer File Sharing Programs" 
establishes policies that forbid loading, installing, or using public peer to peer programs. 
This memorandum and associated policies are available at the Office of Cyber and 
Information Security web portal at http://vaww.ocis.va.gov. 

Some common public P2P programs are KaZaA, Freewire, Grokster, and Morpheus. A 
complete list is available at the Office of Cyber and Information Security web portal at 
http://vaww.ocis.va.gov. 

Use of VA computing resources for public peer-to-peer file sharing violates VA Directive 
6001 "Limited Personal Use of Office Equipment". Don't be a victim. Practice safe 
computing. Contact your information security officer if you think your computer may have 
P2P software or spyware.

Worms and Trojan Horses



Improvements in technology have permitted VA to institute an enterprise-wide anti-virus 
defense program. Often, anti-virus software is automatically installed and updated. 
Nonetheless, new viruses are an everyday occurrence, and anti-virus software offers no 
protection from newly developed, unknown viruses. Viruses can be spread from inside as 
well as from outside VA. Learn how to tell if the anti-virus programs on your work and home 
computers are running and current. 

Software specifically designed to damage, corrupt, and disrupt a computer or network 
system is collectively known as malicious software, or "malware." It may be called a virus 
or worm and be carried by a Trojan horse. Here are some basic definitions for types of 
malware and how they impact your system.

A virus is a software program loaded onto your computer and executed without 
your knowledge.

One type of virus is called a worm. Worms can replicate themselves. A simple virus that can 
make a copy of itself over and over again is relatively easy to produce. A worm can be 
dangerous because it quickly uses all the available memory of your system and brings it to a 
halt. Viruses capable of transmitting themselves across the network and bypassing VA 
protections are even more dangerous because they infect system after system within the 
VA.

Another type of virus is called a "Trojan Horse." The term Trojan Horse comes from a story 
in Homer's Iliad, in which ancient Greeks give a giant wooden horse to their foes, the 
Trojans, as a peace offering. After the Trojans drag the horse inside their city walls, Greek 
soldiers sneak out of the horse's hollow belly and open the city gates, allowing their 
compatriots to pour in, capture and destroy the city of Troy. As the name implies, these 
destructive programs masquerade as benign applications. Trojan Horses do not replicate 
themselves but they can be just as destructive. Their mission is to carry destructive viruses 
and introduce them into your computer or network. One of the most insidious types of 
Trojan Horse programs is one that claims to rid your computer of viruses but instead 
introduces viruses onto your computer.

Viruses can be contracted through a variety of access points on your computer, from a 
software diskette, a CD-ROM, DVD, removable storage medium (zip drives, etc.) or e-mail.

Malicious e-mail hoaxes are not viruses, but they are also potentially dangerous. In most 
cases, the sender asks you to forward a warning message "to everyone you know." The hoax 
may request the recipient to take corrective action, which instead, disables your system. A 
good example of an e-mail hoax is one that has a subject line: "Delete this file immediately." 
The message provides instructions on how to locate a critical computer system file and 
delete it. Even seemingly well-intentioned messages, when forwarded by thousands of 
recipients to thousands more recipients, are bad because they slow down the entire VA 
network. In turn, this delays our important work of serving America's veterans.

Symptoms

If your computer has any of these symptoms, there may be a problem. 
Your computer:

• reacts slower than usual.

• stops running for no apparent reason.

• fails to boot.

• seems to be missing important files.

• prevents you from saving your work.

Virus defense for work and home

In VA, all computers are required to have virus protection software. To be effective, the 
virus protection software must be kept up to date. New updates are usually issued every 
week. Contact your ISO or information technology staff if your VA computer is not up to 
date. While many sites automatically update virus protection software on networked 
computers, remember that non-networked computers, particularly VA issued laptops, will 
not receive automatic updates to virus protection software. If your computer is not 
networked it is particularly important that you assure that the virus protection software is 
regularly updated.

• Delete e-mail messages with unusual subject lines, for example, "Open this 
immediately." 

• Never stop or disable your anti-virus program. 

• Always allow an anti-virus program to perform its routines without 
interruption. 

• Back up your files on a regular schedule. 

• Have your virus protection software set to scan your e-mails and 
attachments. 

• Be cautious and sensitive to attachments that have file extensions that 
execute system commands or applications. For example: .exe, .vbs, .js, .jse, 
.wsf, .vbe and .wsh. 

• Unless you can verify, do not delete any system files based on a request 
made on e-mail. 
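
An added example, not part of the VA course material: a mail-filter style check that flags attachments whose names end in the executable and script extensions listed above. It goes slightly beyond the list by ignoring case, sender-supplied paths, and trailing dots or spaces; the function names and the sample message are constructed for illustration.

```python
"""Flag e-mail attachments whose names end in the extensions the course lists."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the course's virus-defense list.
RISKY_EXTENSIONS = (".exe", ".vbs", ".js", ".jse", ".wsf", ".vbe", ".wsh")


def normalized_name(filename: str) -> str:
    """Reduce an attachment name to the form the operating system would act on."""
    # Keep only the last path component in case the sender supplied a path.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "run.exe. " still runs as .exe.
    return name.strip().rstrip(". ").lower()


def is_risky(filename: str) -> bool:
    """True when the final extension is on the risky list (catches 'a.pdf.vbs')."""
    return normalized_name(filename).endswith(RISKY_EXTENSIONS)


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return the original names of all risky attachments in a raw message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    # walk() visits nested multiparts too, not just top-level attachments.
    for part in msg.walk():
        name = part.get_filename()
        if name and is_risky(name):
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample: two harmless attachments and two that should be flagged."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Open this immediately"
    msg.set_content("See attached.")
    for filename in ("agenda.pdf", "Report.pdf.VBS", "readme.txt", "setup.EXE"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in risky_attachments(build_sample_message()):
        print("quarantine candidate:", name)
```
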

To learn more about computer viruses and your role in virus defense, talk to your 
Information Security Officer (ISO). 

Risk Awareness

As software applications become more feature rich and offer greater integration, the 
potential harm caused by virus code can be disastrous. The integration permits a blending 
of threats and can create a domino effect between each application, which can make tracing 
and preventing virus code very difficult. Virus code effectively puts part or the whole of your 
system beyond your control in ways that can be obvious or totally transparent to you. If you 
open an attachment, especially if it appears to do nothing, you should be aware that 
something has possibly started which will use your computer's resources and may store 
information that can compromise you in some way later. As virus code becomes more 
sophisticated, so must you become more aware of the expected results of each action you 
carry out and the exceptions that can occur. Virus writers are very aware of what you see 
on a day-to-day basis and will attempt to make their viruses look exactly like the 
applications you use. In this type of environment, it is essential that you are diligent and 
completely aware of what you know you have to do within each application and become 
highly critical any time deviations from what you expect are requested.

Incidents



Take a few moments to consider how important VA's computers are in conducting our 
business. Almost everything we do depends on our computers. Unfortunately, the same 
computers that help us serve veterans can also be used for theft and fraud. Electronic 
viruses can attack our computers. They can be stolen and vandalized. They can be used to 
distribute sensitive information to those not authorized to receive it. All these are examples 
of computer-related incidents. It is important to let your supervisor and Information 
Security Officer (ISO) know when you witness such incidents. Your ISO will contact the VA 
Security Operations Center (VA SOC). Reporting cyber security incidents helps VA to reduce 
the negative impact of these events and to improve VA's information processing ability.

The VA SOC was established to fulfill VA's need to ensure that computer security incidents 
are detected, reported and corrected as quickly as possible, and with minimal impact. VA 
SOC's primary responsibilities are to:

• Serve as a central clearinghouse for all reported incidents, security alerts, and 
notifications;

• Ensure additional SOC resources for all VA incidents as needed;

• Coordinate effective notification of and response to all reported incidents;

• Notify proper officials in each organization of reported incidents.

Incident Do's and Don'ts

When you think a computer security incident may have occurred, you should

• Gather details of the incident so you can communicate specific information 
to your ISO.

• Collect the date, time, location, and involved computer systems.

• Describe what you believe happened.

• Copy any error messages displayed on your computer screen.

• Copy any involved web addresses, server names, or IP addresses.

Time may be of the essence. Don't wait to call your ISO.

E-mail may not be the best way to report the incident. You may need to contact your ISO 
by phone or in person.





Limit discussion of the incident to only those with a specific need to know.

Do not discuss the incident with the media (radio, TV, newspapers) or anyone outside of 
your facility without first consulting your ISO and facility management.

To report a cyber security problem, your primary point of contact is your VA information 
security officer.

Risk Awareness

Most successful security threats involve carrying out very simple routine tasks such as 
copying, saving, modifying or deleting files. Some of the most complicated incidents 
perpetrated have been based on combinations of these elements. We have become 
accustomed to making quick decisions about such actions and under the pressure of heavy 
workloads we may be tempted to let down our guard in order to get the job done. Hackers 
rely on these conditions by combining messages and requests that look normal to users. 
The key to effective incident prevention lies in your ability to establish the context of the 
request and to clearly establish where you are within the task you are conducting at the 
time. This will ensure you know whether it is appropriate to accept the modification of a 
computer setting or that a file should be deleted.

VA Cyber Security: Part of Infrastructure Protection

As a VA employee, you must be aware that the Department's information systems are part 
of America's strategic infrastructure. We are expected to maintain our ability to provide 
veteran services even in times of national tension. VA's information systems not only enable 
us to provide efficient services to America's veterans, they also enable VA to work with 
other agencies, including the Departments of Defense (DoD), Health and Human Services 
(HHS), and Homeland Security. In addition to our primary mission of serving veterans, VA 
has a role in responding to a variety of regional and national emergencies.

The FBI has warned all Federal agencies that their systems and the information in those 
systems are potential targets for an ever-increasing number of cyber attacks. Now more 
than ever, the VA's systems and the information they contain must be available to serve our 
nation and its veterans. Please be alert to anything that might compromise VA's cyber 
security. Immediately report any incidents to your Information Security Officer. If they are 
unavailable, contact VA SOC at 1-877-279-8856.

Contact your facility Information Security Officer (ISO) if you have questions about cyber 
security issues. For general information about VA's Cyber Security program contact your 
local VA Information Security Officer.

Risk Awareness

The nature of work at the VA and its close involvement with the Strategic Infrastructure 
program may increase the likelihood and diversity of attacks on its information and 
systems. This heightened risk makes it more important for VA staff to know their jobs better 
to correctly decide appropriate procedures and courses of action to take in the event of 
unusual activity.

Practice Exam 3

Lesson 7 - Viruses

Software specifically designed to damage, corrupt, and disrupt a computer or network 
system is collectively known as:

a. Computer destroyer
b. Malicious software, or "malware"
c. Junk mail
d. Spam

Lesson 8 - Incidents

Hackers require users to carry out complex instructions in order to carry out attacks.

a. True
b. False

When you are aware that a computer security incident has occurred, you should:

a. Contact your friend down the hall and ask what to do.
b. Gather details of the incident so you can communicate specific information to your 
ISO.
c. Contact your local media (TV, Radio, etc).


Lesson 9 - Infrastructure Protection

VA information systems enable the Department to work with other agencies, including
Department of Defense (DoD), Health and Human Services (HHS), and Homeland Security
during times of national emergency.

a. True 

b. False

Social Engineering

Have you heard of "social engineering?" Social engineering is an
unauthorized person's manipulation of your trust to get you to give up
information or resources that you should not give out. This is an
important information security issue!

Make sure when you are asked by someone to provide information or
allow the use of your computer or accounts (in person, over the phone,
or electronically), that you are certain of who they are and of their
authorization to have/use that information or access as part of their
job. Dishonest "social engineers" look for almost any kind of information to misuse, like
your password or patient, budget, or employee information. VA employees have a natural
desire to be helpful and provide useful information. Social engineers try to take advantage
of this to misuse resources or information.





One example of social engineering perpetrated on VA facilities comes in
the form of a phone call from someone claiming to be from "the phone
company." The thief says they are testing lines and long distance circuits
and instructs the employee to dial a special code that gives the caller
access to FTS long distance service. This scam has resulted in thousands
of dollars worth of unauthorized calls being made at VA expense.



Unauthorized disclosure of information or granting of resources to
dishonest social engineers are potentially bigger threats to you and
VA than most computer hackers. To learn more about social
engineering and your role in defending against it, contact your
Information Security Officer (ISO).

Risk Awareness




As a result of improvements in system security and more secure processes, hackers
generally require more information from different sources in order to compromise modern
systems. This progress in risk mitigation systems and techniques has created a rise in the
number and sophistication of the social engineering techniques employed by hackers. Social
engineers will rarely ask for secure or confidential information directly and instead will
gradually gain your confidence, often asking for nothing on the first call in favor of building up
confidence for a later time. This means that your diligence is becoming critically important
and, in some cases, constitutes the last line of defense.

Authorized Use

The citizens of our country expect that as VA employees, we will
not misuse or abuse the resources provided to us to accomplish
our mission. As a VA employee, you may have the privilege of
some "Limited Personal Use" of certain government resources,
such as computers, e-mail, Internet access, and telephone/fax
service. This benefit is available only as long as it does not
interfere with official VA business, is performed on the
employee's non-work time, involves minimal additional expense
to the Government, and is legal and ethical. Remember that
your personal use may be limited at any time either by your
management or by those responsible for the particular
government resource you want to use. Before using this privilege, you should discuss your
limits and responsibilities in using it with your supervisor and Information Security Officer
(ISO).





Ethics 

"Ethics is about understanding how your actions affect other people, knowing what is right 
and wrong, and taking personal responsibility for your actions..." 
- Winn Schwartau 

• Ethics deals with placing a "value" on acts according to whether they are "good" or
"bad." Every society has its rules about whether certain acts are ethical or not. The
same thing is true when using a VA computer system to access confidential
information.

Misuse or Inappropriate Use

Examples of Misuse or Inappropriate Use include the following:

• Any personal use that could cause congestion, delay, or disruption of service
to any Government system or equipment. For example, continuous data
streams, video, sound, or other large file attachments that degrade
performance of VA's network.

• Using VA systems as a staging ground or platform to gain unauthorized
access to other systems.

• The creation, copying, transmission, or retransmission of chain letters or
other unauthorized mass mailings regardless of the subject matter.

• Activities that are illegal, inappropriate, or offensive to fellow employees or
the public. Such activities include hate speech, or material that ridicules
others on the basis of race, creed, religion, color, sex, disability, national
origin, or sexual orientation.

• The creation, downloading, viewing, storage, copying, or transmission of
sexually explicit or sexually oriented materials.

• The creation, downloading, viewing, storage, copying, or transmission of
materials related to gambling, illegal weapons, terrorist activities, and any
illegal activities or activities otherwise prohibited.

• Use for commercial purposes or in support of "for profit" activities or in
support of other outside employment or business activity (e.g. consulting for
pay, sales or administration of business transactions, sale of goods or
services).

• Engaging in any outside fund-raising activity, endorsing any product or
service, participating in any lobbying activity, or engaging in any prohibited
partisan political activity.

• Posting agency information to external newsgroups, bulletin boards, or other
public forums without authority. This includes any use that could create the
perception that the communication was made in one's official capacity as a VA
employee (unless appropriate approval has been obtained), or uses that are
at odds with the agency's mission or positions.

• Any use that could generate more than minimal additional expense to the
government.

• The unauthorized acquisition, use, reproduction, transmission, or distribution
of any controlled information including computer software and data, that
includes privacy information; copyrighted, trademarked, or material with
other intellectual property rights beyond fair use; proprietary data; or
export-controlled software or data.

Be sure to discuss your limits and responsibilities with your supervisor and Information
Security Officer (ISO).

Risk Awareness

Most business use of computer systems is well defined and it is generally clear to the user
when they go beyond the intended function of each application. Commercial applications are 
designed with access control and functional control in mind and as a result are less prone to 
accidental misuse. This distinction is less clear with non-business applications, particularly 
internet browser-based applications. Not only are these applications only generally 
protected, most web sites advertise using pop-ups, some of which masquerade as system 
messages, which, if run, can install unwanted applications, phone dialers and viruses on the 
computer. If business systems are used for personal purposes it may increase the risk these 
systems have to bear. Even though every reasonable precaution is taken to protect users 
and systems in both usage modes, it is always better to keep personal use of systems to a 
minimum, thus reducing the likelihood of any vulnerability being exploited and resulting in 
the system being compromised.

Practice Exam 4

Lesson 10 - Social Engineering

Which is not an example of how a social engineer may gain your trust to get unauthorized
information:

a. You receive an e-mail message from your new computer service technician asking for
your username and password.

b. You receive a phone call from the telephone company technician who needs your
username and password in order to complete their testing of the phone lines in your
facility.

c. You receive a letter from the friend of a veteran asking for important medical
information.

d. You receive a call telling you that they want to break into your computer system.

Social Engineering is an unauthorized person's manipulation of your trust to get you to give
up information or resources that you should not give out.

a. True 

b. False 

Lesson 11 - Authorized Use 

The citizens of our country expect that as VA employees, we will not misuse or abuse the
resources provided to us to accomplish our mission.

a. True 

b. False 

As a VA employee, you may have the privilege of some "Unlimited Personal Use" of certain
government resources, such as computers, e-mail, Internet access, and telephone/fax
service.

a. True 

b. False 

"Ethics is about understanding how your actions affect other people, knowing what is right 
and wrong, and taking personal responsibility for your actions..." 

a. True 

b. False